FTC issues $3 million fine for security camera firm, issuing penalties for a range of violations
The Federal Trade Commission (FTC) said it will fine the security camera company Verkada $2.95 million over allegations that the firm’s poor security practices led to a hacker breaking into customers’ devices as well as accessing personal data.
The company is also accused of spamming potential clients, sending more than 30 million email ads over 3 years. As part of the settlement, Verkada will design and put in place a comprehensive information security program to help prevent future incidents.
A federal judge must sign off on the proposed order before it takes effect.
The monetary fine stems in part from allegations that Verkada violated the CAN-SPAM Act [Controlling the Assault of Non-Solicited Pornography And Marketing] by flooding potential customers with emails advertising its services and not giving them a way to unsubscribe.
The FTC said the fine is the biggest it has ever secured for a CAN-SPAM violation.
In addition to the CAN-SPAM violations, two security breaches occurred at Verkada between December 2020 and March 2021. The complaint alleges that Verkada did not fix security vulnerabilities after a February 2021 assessment of security practices from an outside cybersecurity consultant.
In the latter hack, which occurred weeks later, video footage from more than 150,000 internet-connected Verkada cameras, as well as physical addresses, audio recordings and customer Wi-Fi credentials, were compromised, an FTC press release said.
In a complaint, the FTC and the Justice Department alleged that the hacker behind the March 2021 incident was able to break into cameras monitoring particularly sensitive locations like psychiatric hospitals and women’s health clinics.
The intruder “viewed patients in psychiatric hospitals (including patients resting in hospital beds) and women’s health clinics, young children playing inside of a room, and incarcerated persons inside of their cells,” the complaint said.
Verkada security cameras also included so-called “people analytics” in addition to its live surveillance offering. Under this feature, customers could view “high resolution images of all consumers whose likenesses have either been recorded by their security cameras or uploaded to the Command platform, filter collected images by gender or clothing color, and search images through facial recognition or face matching technology,” the complaint alleges.
In 2018, the company allegedly advertised having “best-in-class data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized access.”
However, according to the complaint, Verkada neglected to follow through by not insisting upon “unique and complex passwords, adequately encrypting customer data, and implementing secure network controls,” an FTC press release said.
The security camera firm, which has thousands of customers worldwide, also was deceptive in its advertising by knowingly allowing staff and a venture capital investor to praise Verkada and its products in online reviews without sharing their affiliation with the company, the complaint alleges.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.